hxxps://pub-4766015fdf5b413d866c3bdd90c68b40[.]r2[.]dev/randdannu[.]htm

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2024 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pub-4766015fdf5b413d866c3bdd90c68b40.r2.dev/randdannu.htm

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133547808610340465"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1636	chrome.exe
1636	chrome.exe
932	chrome.exe
932	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1636	chrome.exe
1636	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 464	1636	chrome.exe	89
PID 1636 wrote to memory of 464	1636	chrome.exe	89
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 1208	1636	chrome.exe	92
PID 1636 wrote to memory of 5108	1636	chrome.exe	93
PID 1636 wrote to memory of 5108	1636	chrome.exe	93
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94
PID 1636 wrote to memory of 3248	1636	chrome.exe	94

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://pub-4766015fdf5b413d866c3bdd90c68b40.r2.dev/randdannu.htm
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff36109758,0x7fff36109768,0x7fff36109778
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1892,i,15764296333040681176,13531824854034162096,131072 /prefetch:2
  2⤵
  PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1892,i,15764296333040681176,13531824854034162096,131072 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1984 --field-trial-handle=1892,i,15764296333040681176,13531824854034162096,131072 /prefetch:8
  2⤵
  PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2880 --field-trial-handle=1892,i,15764296333040681176,13531824854034162096,131072 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2892 --field-trial-handle=1892,i,15764296333040681176,13531824854034162096,131072 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1892,i,15764296333040681176,13531824854034162096,131072 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 --field-trial-handle=1892,i,15764296333040681176,13531824854034162096,131072 /prefetch:8
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2940 --field-trial-handle=1892,i,15764296333040681176,13531824854034162096,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:932

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1fd9273e-365a-4cc9-863d-a371fb4b584b.tmp

Filesize
6KB

MD5
922461c4100ad35b57600addac41fd66

SHA1
465de79a9c7f0e5f5280734f1de7b4cf85db2c91

SHA256
b7246b6515b224d823a4db3d8cbb0b237d4f32aba19df97b5ca870357b67360d

SHA512
9678a36db1dd8026613c8f42a3f3bf6bdfaff97b108b5e2cb1123b26ca374a9f3cbbb956bce66ceb527bd566c3bccd8e01f6ddbe1ec958457b54fa14a9017146

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
26KB

MD5
df3d48946e8d3f5a83608308edbb4b86

SHA1
47b9c40c97abf2658df96b1c06109324e15e1a00

SHA256
570a6631252b8a52df4de0e953ae77dbdf524dfc3637cda2840494a0d2b49499

SHA512
36ec1cec72dc3245730c813277c645525473cc5232e85cd23503b8593d90264f335e61a16d364a1e6c41922820b40ba7c0f46b19f4b91db6a0cf5e31e778ddea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
792303e72ec834d769e6316db43c6e5f

SHA1
9fef2a22002b85d5571e073a50f6e184942d66c7

SHA256
4e47470e5a34d8bc2b8c7f9be08c689b1944e135e2dc07e8542d57f54b66b58e

SHA512
d3cadcafc8245a49719c25a243e7d8f7a0639c5c01b570e9621b14c6b8e6a6587994adf34c9ec664e7cfdc2c6a4c495d3085fd5ad2f6ec22e71727a272dad680

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e4388b881a1186e99e0f333e45b18675

SHA1
d6e212322ba4a6ecac8381d1943dcfb3fa02e290

SHA256
2a3ea19bbbbd3438f6184a977c1e0dabb61dc6067ea736bbfe773967e0865517

SHA512
53f285ce2db44900025c086a4a434206ef760cb5611a4bc136504fa837e9a7aabef744b2598e228220ac59acb9d342edeac074e63a57d8828649f89f9ff4c0d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e781a9a3ba999e71f45847247840b4fa

SHA1
10335a8ee3a5136742b32fbc57554c37b7bd0ce1

SHA256
9a1dbe3666b9bcc2a7fa4c148c5483c904c1183e0723b2ff718765f190570ec4

SHA512
0a56f844e66f9fca5cdeff3163a73e8759648f1b755083d4fa45ca3423ce67d105edc0c64ee4c73caadfcb8336f5feb03b281016056bb2cdad6ed15db257ea47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
f12788e426caff444d599c29c836e1ef

SHA1
c6988de016e6cef97164e500cb09ef50e39d34a5

SHA256
e3fc07497ac20d29cbf1f627700e3c2ad3c3bbfcc11810d3e77a4be83acef6d1

SHA512
37908103e535da78b1be0fef2fecc9e0eb1ae5ec8541f0d6b10911da5bcfa5c55f312b3aa6e8e3d5c8246d7dc6af0f0ea44e30d5fc6f532d5f1bdddbf11e75da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b16ae5de923854371ce6ea4d824d9b33

SHA1
c82cebb64d97f905a8abcc3cd3908732a043830e

SHA256
4f5570e7afcd7803452892e12eaa9beb495da8b0a3924b6f36ec357ceaa090f9

SHA512
8250c0c0b49e613a92f3e5d115b302630b39ba86412b08c68a467c81376e7d012e7d16cdd7d96d82727bc55c472797e5e01eb285339ac557da39ec8825dccbe5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
2982065dead570acfb89f39e72dacdd3

SHA1
bd812f4b5c5e02419e2afbadfbf70834485e89c3

SHA256
8c3ef7f8a412ec828bc1b314069f2f62531e81ed45a8b9d0e679febe6b6f2641

SHA512
78584f38ae909b6b5f88ff21cac5d9ebf0851018200a4b6ff05e5a40124f1e8a7d07d6d52155e04ba65e859991d743eba48ef4eb6a86ddccff8ca1e9028fbdd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit